6 Tips To Secure Webcams, Stop Keyloggers

If the FBI can activate webcams silently and record keystrokes, so can attackers. Here's how to defend yourself.

If malware remotely activated a webcam -- without turning on the light -- or silently logged keystrokes and infected a PC, would it be detected?

Don't be so sure. Marcus Thomas, a former assistant director with the FBI, recently told The Washington Post that, for the past several years, the bureau has been able to infect targeted systems with malware that lets it activate webcams remotely, record the video feeds, and log keystrokes. The capabilities reportedly have mostly been used for investigating terrorism and other serious crimes.

But if the FBI can launch camjacking attacks, so can others, including peeping Toms and sextortion practitioners. Furthermore, such attacks aren't rare. A Finnish hacker told the BBC in June that webcam access on the underground market went for $1 per target for a woman's webcam -- and just $0.01 per target for a man's webcam.

Keystroke recording has long been a feature of crimeware toolkits. Hackers seek any information they might turn to their financial gain. Take the stash of 2 million stolen passwords -- from Facebook, Google, Twitter, Yahoo, and other services -- recovered last week by Trustwave researchers. Neal O'Farrell, executive director of the Identity Theft Council, said the stolen access credentials were most likely harvested with keylogging malware.

How can camjacking and keylogging software be stopped? Here are six tips.

1. Antivirus tools alone won't save you

You should always use antivirus and antimalware products, but their success rate at spotting keylogging and webcam-hijacking software (whether developed by the FBI or criminals) isn't great. The security vendor OPSWAT recently took a sample of malware designed to log keystrokes, known as winpe/KeyLogger.SYK (a.k.a. PhrozenKeyloggerLite1-0R3_setup.zip), installed it on a test system, and scanned it using 40 different antivirus engines. As of last Thursday, only Norman's antivirus engine had detected the keylogger, OPSWAT's Alec Stokes wrote in a blog post. On Saturday, Virus Total reported that Comodo's antivirus engine had added a detection signature for the keylogger, but 46 other engines still weren't detecting it.

The results were even worse when it came to testing whether 16 different antivirus engines could spot signs related to the malware running on a test system. "After a quick scan of running processes, none of the engines flagged the keylogger's process," Stokes wrote. In addition, one behavioral analysis engine also failed to sound alarms.

2. Employ anti-keylogging software

Instead of simply attempting to detect keyloggers, O'Farrell recommends trying to disrupt them. KeyScrambler (which is free) and Guarded ID (which costs $30 annually for two computers) are among the many good options available, he told us via email. "Some work by instantly encrypting or scrambling all your keystrokes so that they're unusable to hackers. They won't protect you against every type of keylogging, but are a good defense against the more common software."

3. Beware phishing attacks

How does camjacking or keylogging software get onto PCs? One typical infection vector is phishing, which is designed to trick an email recipient into opening a malicious executable. In fact, according to The Washington Post, that's the FBI's favored technique for infecting a system. However, the bureau uses it sparingly -- in part to keep references to the capability out of news stories -- and only after obtaining permission from a judge (which has not always been granted).

One defense against phishing is to ensure that systems remain fully updated and patched against all known vulnerabilities. A number of crimeware toolkits continue to exploit large numbers of systems that run outdated browser plugins (especially Java) with known vulnerabilities. Every successful exploit, of course, enables an attacker to install malware on the targeted PC.

4. Watch where you use passwords

Avoid typing sensitive information in public locations, especially if you're using a wireless keyboard. "More advanced keyloggers can intercept data from wireless keyboards, and even collect and decipher the electromagnetic radiation or electrical signals given off by a keyboard," said O'Farrell.

Of course, sensitive data can also be intercepted by anyone with the right technology and tools to sniff nearby WiFi data -- for example when users are logged into a public hotspot or a rogue hotspot disguised as one. Accordingly, think twice before sending sensitive information via the Internet when connected to a public hotspot.

5. Cover your webcam

Worried about someone hacking into your webcam? Cover it up with a piece of tape. That's long been the advice of leading information security professionals, including the cryptographer Whitfield Diffie. Mikko Hypponen, chief research officer at F-Secure, recommends using a Band-Aid, since it won't gunk up the webcam lens.

6. Keep reviewing your countermeasures

The above aside, someone -- say, an intelligence agency with deep pockets -- who really wants to capture your passwords will do so. "More than 25 years ago, a couple of former spooks showed me how they could capture a user's ATM PIN, from a van parked across the street, simply by capturing and decoding the electromagnetic signals generated by every keystroke," O'Farrell said. "They could even capture keystrokes from computers in nearby offices, but the technology wasn't sophisticated enough to focus in on any specific computer."

Of course, the technological state of the art has continued to advance since then. But when it comes to keylogging, your most likely foe will still be incidental attacks -- of the malware variety -- that attempt to harvest information from as many PCs as possible. Putting the above tools and practices in place will help block or disrupt these automated attacks.


Mathew Schwartz is a freelance writer, editor, and photographer, as well as the InformationWeek information security reporter.

I certainly agree, tools that stop data from leaving your PC are preferable. But how many individuals have the time or technical know-how to run the kind of scans you're referring to? Is there really no product that can sit on your desktop (and not be hacked) that tells you someone's messing with your PC/laptop? And that makes it simple to lock them out?

What we need is something that looks professional, or invisible, leaves no residue (I'm looking at you, Bandages) and will stay on. Something cheaper than a roll of tape or a pack of Post its. Something that can be cleaned and reused basically forever.

I think that webcamera blocker, www.webcamerablocker.com is the best product out there right now.

As an alternative to disrupting keyloggers, how about stopping data from leaving the PC? I recently detected the Win64/Alureon trojan on a client machine by installing Malwarebytes and detecting the flow of data the trojan was trying to send out of the PC. It took 3 days of running several scanners before detecting and identifying Win64/Alureon, but after running the removal tool the messages were stopped. Blocking unauthorized traffic from leaving the PC could work for keyloggers, trojans, and other forms of malware by stopping delivery of the data.
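
The outbound-traffic check described in the comment above, sketched as an added example that is not part of the original article or its comments. The record format, process names, allowlist and function names are assumptions made for illustration, and the sample data is constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed sample records (process, remote IP, remote port, bytes sent), in the
# shape a host firewall or connection logger might export. Not real data; the
# external addresses come from the reserved documentation ranges.
SAMPLE_CONNECTIONS = [
    ("chrome.exe", "198.51.100.20", 443, 18200),
    ("outlook.exe", "10.0.0.25", 993, 4100),
    ("svch0st.exe", "203.0.113.77", 8080, 512),
    ("svch0st.exe", "203.0.113.77", 8080, 498),
    ("svch0st.exe", "203.0.113.77", 8080, 530),
    ("updater.exe", "192.168.1.10", 445, 9000),
]

# Assumed policy: the only programs expected to send data to the internet.
ALLOWED_EGRESS = {"chrome.exe", "outlook.exe"}

# Networks treated as internal; anything else counts as leaving the PC's network.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def flag_unexpected_egress(records, allowed=ALLOWED_EGRESS):
    """Summarise off-network traffic from processes that are not on the allowlist."""
    flagged = defaultdict(lambda: {"destinations": set(), "connections": 0, "bytes_sent": 0})
    for process, remote_ip, remote_port, bytes_sent in records:
        name = process.lower()
        if name in allowed or not is_external(remote_ip):
            continue
        entry = flagged[name]
        entry["destinations"].add((remote_ip, remote_port))
        entry["connections"] += 1
        entry["bytes_sent"] += bytes_sent
    return dict(flagged)


if __name__ == "__main__":
    for name, info in flag_unexpected_egress(SAMPLE_CONNECTIONS).items():
        print(f"review/block {name}: {info['connections']} connections, "
              f"{info['bytes_sent']} bytes to {sorted(info['destinations'])}")
```

Repeated small uploads from an unlisted process to a single external address, as in the constructed sample, are the kind of flow a default-deny outbound firewall rule would stop and log.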
